The requirement is to securely consume cross-account sensitive parameters from AWS Systems Manager Parameter Store in a CI/CD pipeline. AWS imposes specific constraints and features for cross-account parameter access, and the correct solution must align with those constraints.
First, cross-account sharing of Parameter Store parameters is supported only for Advanced tier parameters. Standard tier parameters cannot be shared across accounts. Therefore, Option A is required, and Option C is invalid.
Second, cross-account access to Parameter Store parameters is implemented using AWS Resource Access Manager (AWS RAM). RAM allows the central account to explicitly share the parameter resource with the CI/CD account. Without RAM, the parameter is not visible or accessible across accounts. This makes Option F mandatory.
Third, because the parameter stores sensitive credentials, encryption must be handled securely. When sharing encrypted parameters across accounts, AWS requires the use of a customer managed AWS KMS key, not an AWS managed key. The key policy must explicitly grant `kms:Decrypt` permission to the consuming account. AWS managed keys cannot be shared across accounts, which makes Option D invalid and Option E correct.
Although the CI/CD pipeline’s IAM role must ultimately have permission to read the parameter, that permission is implicit in the consuming account once the parameter is shared and the KMS key policy allows decryption. The critical cross-account enablers are Advanced tier, RAM sharing, and a customer managed KMS key.
Therefore, the correct combination is A, E, and F.
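The three enablers named above (Advanced tier, RAM sharing, and a customer managed KMS key whose policy grants `kms:Decrypt`) can be checked before the pipeline runs. The following is an added example, not part of the original explanation. It assumes the inputs have already been fetched: `Tier` as returned by SSM `describe-parameters`, `KeyManager` as returned by KMS `describe-key`, the key policy JSON, and a hypothetical `shared_principals` list holding the account IDs associated with the RAM resource share. The account IDs are constructed placeholders.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def key_policy_allows_decrypt(policy_json, consumer):
    """True if an Allow statement grants kms:Decrypt to the consumer account.
    Condition blocks are not evaluated (simplification)."""
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        # Accept the bare account ID or any IAM ARN in that account.
        in_account = any(a == consumer or a.startswith(f"arn:aws:iam::{consumer}:")
                         for a in arns)
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if st.get("Effect") == "Allow" and in_account and actions & {"kms:decrypt", "kms:*"}:
            return True
    return False

def preflight(param, key_meta, key_policy, shared_principals, consumer):
    """Return findings; an empty list means all three conditions hold."""
    findings = []
    if param.get("Tier") != "Advanced":
        findings.append("parameter is not Advanced tier")
    if key_meta.get("KeyManager") != "CUSTOMER":
        findings.append("key is AWS managed, not customer managed")
    elif not key_policy_allows_decrypt(key_policy, consumer):
        findings.append("key policy lacks kms:Decrypt for consumer account")
    if consumer not in shared_principals:
        findings.append("no RAM share to consumer account")
    return findings

# Constructed sample data (placeholder account IDs, not from the page).
CONSUMER = "444455556666"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{CONSUMER}:root"},
     "Action": ["kms:Decrypt"], "Resource": "*"}]})
OWNER_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(preflight({"Tier": "Advanced"}, {"KeyManager": "CUSTOMER"},
                    GOOD_POLICY, [CONSUMER], CONSUMER))
    print(preflight({"Tier": "Standard"}, {"KeyManager": "AWS"},
                    OWNER_ONLY_POLICY, [], CONSUMER))
```

An empty list corresponds to the A, E, F combination being in place; each finding names the missing enabler.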